Your message dated Sat, 27 Jul 2019 23:17:36 +0000
with message-id <e1hrvww-000eyc...@fasolo.debian.org>
and subject line Bug#930024: fixed in neovim 0.1.7-4+deb9u1
has caused the Debian Bug report #930024,
regarding neovim: CVE-2019-12735: Modelines allow arbitrary code execution
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
930024: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930024
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: neovim
Severity: important
Tags: upstream

Dear Maintainer,

Neovim versions < 0.3.6 are subject to an Arbitrary Code Execution exploit via
modelines, as described in this blogpost:

https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md

Upgrading the Neovim package to >= 0.3.6 fixes this exploit.



-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Source: neovim
Source-Version: 0.1.7-4+deb9u1

We believe that the bug you reported is fixed in the latest version of
neovim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 930...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <james...@debian.org> (supplier of updated neovim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 16 Jul 2019 01:05:10 -0400
Source: neovim
Architecture: source
Version: 0.1.7-4+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Vim Maintainers <pkg-vim-maintain...@lists.alioth.debian.org>
Changed-By: James McCoy <james...@debian.org>
Closes: 930024
Changes:
 neovim (0.1.7-4+deb9u1) stretch-security; urgency=high
 .
   * Backport upstream patches to address CVE-2019-12735 (Closes: #930024)
     + vim-patch-8.0.0649 and vim-patch-8.0.0650: autocmd open help 2 times
     + vim-patch:8.1.0066: nasty autocommand causes using freed memory
     + vim-patch:8.1.0067: syntax highlighting not working when re-entering a buffer
     + vim-patch:8.1.0177: defining function in sandbox is inconsistent
     + vim-patch:8.1.0189: function defined in sandbox not tested
     + vim-patch:8.1.0205: invalid memory access with invalid modeline
     + vim-patch:8.1.0506: modeline test fails when run by root
     + vim-patch:8.1.0538: evaluating a modeline might invoke using a shell command
     + vim-patch:8.1.0539: cannot build without the sandbox
     + vim-patch:8.1.0540: may evaluate insecure value when appending to option
     + vim-patch:8.1.0544: setting 'filetype' in a modeline causes an error
     + vim-patch:8.1.0546: modeline test with keymap fails
     + vim-patch:8.1.0547: modeline test with keymap still fails
     + vim-patch:8.1.0613: when executing an insecure function the secure flag is stuck
     + vim-patch:8.1.1046: the "secure" variable is used inconsistently
     + vim-patch:8.1.1365: :source should check sandbox
     + vim-patch:8.1.1366: using expressions in a modeline is unsafe
     + vim-patch:8.1.1367: can set 'modelineexpr' in modeline
     + vim-patch:8.1.1368: modeline test fails with python but without pythonhome
     + vim-patch:8.1.1382: error when editing test file
     + vim-patch:8.1.1401: misspelled mkspellmem as makespellmem
Checksums-Sha1:
 3fbc530c2c04e4d248b2d04c35bfdd04f1828924 2686 neovim_0.1.7-4+deb9u1.dsc
 be36bf8b80a37de7d2321fe9e8dc110331840006 7601279 neovim_0.1.7.orig.tar.gz
 7d48778fcb3fc7c4901a48fd66c3bef46333a5f5 36020 neovim_0.1.7-4+deb9u1.debian.tar.xz
 6d2551703b19ce8a8e22ca0d9c438e7c087e1d4e 8012 neovim_0.1.7-4+deb9u1_source.buildinfo
Checksums-Sha256:
 74aa8412d3403f335ce3ded2ca90d63970d661fc3564f3f3d46b487e0a2f4a46 2686 neovim_0.1.7-4+deb9u1.dsc
 d59b2e7d3e8756367bc8e3890fd5e1008e45f90e85c6a0f7d251b3889d756506 7601279 neovim_0.1.7.orig.tar.gz
 358d52252262e6d22b89a467b0bff305ceadf99abcc109ff3208f900bd5fec6e 36020 neovim_0.1.7-4+deb9u1.debian.tar.xz
 c0de4b237afc1edbe62611c0b83bb4b2024fd6665591e16f77cfab9319a37f4e 8012 neovim_0.1.7-4+deb9u1_source.buildinfo
Files:
 34feacd0d01ff0d507dc781087cb9a32 2686 editors extra neovim_0.1.7-4+deb9u1.dsc
 43b6ce7ff1c795acc2c4ac9d7e2ef9df 7601279 editors extra neovim_0.1.7.orig.tar.gz
 1bff0da302dd0fca8adf7ec05426c053 36020 editors extra neovim_0.1.7-4+deb9u1.debian.tar.xz
 f75432bbc5b540de72a91d5f1567d372 8012 editors extra neovim_0.1.7-4+deb9u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
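The patch list above (vim-patch 8.1.1366 and 8.1.1367 in particular) closes the modeline attack surface by refusing to set expression-valued options from a modeline unless 'modelineexpr' is on, and by refusing to let a modeline set 'modelineexpr' itself. The scanner below is an added example, not code from Debian, Vim or Neovim: it parses modelines the way `:help modeline` describes them (both the `vi:opt:opt` form and the `vim: set opt opt:` form, within the default window of 5 lines at each end of a file) and reports any that try to set such an option, so shared files can be audited before they are opened in an editor that predates the fix. The option table is an assumed subset of the options gated by 'modelineexpr', and the sample file at the bottom is constructed for the demonstration.

```python
"""Audit files for Vim/Neovim modelines that set expression-valued options.

Added example for this bug thread, not code from Debian, Vim or Neovim.
vim-patch 8.1.1366/8.1.1367 (backported above for CVE-2019-12735) stop a
modeline from setting expression options unless 'modelineexpr' is on, and
stop a modeline from setting 'modelineexpr' itself.  This scanner finds
such modelines before the file reaches an unpatched editor.
Assumptions: EXPR_OPTIONS is the subset of 'modelineexpr'-gated options
known to the author of this example; the grammar follows `:help modeline`
(first form `vi:opt:opt`, second form `vim: set opt opt:`) with the
default 'modelines' window of 5 lines at each end of a file.
"""
import re
import sys
from typing import List, Tuple

MODELINES = 5  # default value of the 'modelines' option

# Assumed subset of options whose value is an expression or a function
# name that the editor evaluates: long form -> short form.
EXPR_OPTIONS = {
    "foldexpr": "fde", "foldtext": "fdt", "formatexpr": "fex",
    "includeexpr": "inex", "indentexpr": "inde", "statusline": "stl",
    "tabline": "tal", "rulerformat": "ruf", "balloonexpr": "bexpr",
    "completefunc": "cfu", "omnifunc": "ofu", "diffexpr": "dex",
    "patchexpr": "pex", "charconvert": "ccv", "printexpr": "pexpr",
    "guitablabel": "gtl", "guitabtooltip": "gtt", "modelineexpr": "mle",
}
FLAGGED = set(EXPR_OPTIONS) | set(EXPR_OPTIONS.values())

# A modeline marker must start the line or follow whitespace; the optional
# <, = or > plus digits are the version qualifiers (e.g. `vim>700:`).
_HEAD = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex)(?:[<=>]?\d+)?:\s*(.*)$")
_SET_FORM = re.compile(r"^se(?:t)?\s+(.*)$")
_UNESCAPED_COLON = r"(?<!\\):"      # a literal ':' in a value is written \:
_OPT_NAME = re.compile(r"^[a-zA-Z]+")


def split_modeline(rest: str) -> List[str]:
    """Split the text after vi:/vim:/ex: into individual :set arguments."""
    m = _SET_FORM.match(rest)
    if m:
        # Second form: arguments end at the first unescaped ':'; whatever
        # follows (e.g. a closing comment marker) is ignored by the editor.
        body = re.split(_UNESCAPED_COLON, m.group(1), maxsplit=1)[0]
        return body.split()
    # First form: arguments separated by whitespace or unescaped ':'.
    return [t for t in re.split(_UNESCAPED_COLON + r"|\s+", rest) if t]


def find_expr_options(line: str) -> List[str]:
    """Return the expression-valued :set arguments in one line's modeline."""
    m = _HEAD.search(line)
    if not m:
        return []
    hits = []
    for arg in split_modeline(m.group(1)):
        name = _OPT_NAME.match(arg)
        if name and name.group(0) in FLAGGED:
            hits.append(arg)
    return hits


def scan_lines(lines: List[str], modelines: int = MODELINES) -> List[Tuple[int, List[str]]]:
    """Check only the lines an editor would: the first and last `modelines`.

    Returns (1-based line number, flagged arguments) for each hit.
    """
    n = len(lines)
    window = set(range(min(modelines, n))) | set(range(max(0, n - modelines), n))
    findings = []
    for i in sorted(window):
        hits = find_expr_options(lines[i])
        if hits:
            findings.append((i + 1, hits))
    return findings


def scan_file(path: str) -> List[Tuple[int, List[str]]]:
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh.readlines())


# Constructed sample (not from the bug thread): a benign modeline on line 1,
# an expression option on line 7 that sits outside the 5-line window and so
# is never evaluated by the editor, and a foldexpr on the last line.
SAMPLE = [
    "# vim: set ts=4 sw=4 et:\n",
    "import os\n",
    "\n",
    "def main():\n",
    "    pass\n",
    "\n",
    "# vim: set stl=%!getcwd(): outside the window\n",
    "\n",
    "\n",
    "\n",
    "\n",
    "\n",
    "# ex: noai:fen:fdm=expr:fde=MyFold():fdl=0\n",
]


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        for lineno, hits in scan_lines(SAMPLE):
            print(f"<sample>:{lineno}: {' '.join(hits)}")
    for path in targets:
        for lineno, hits in scan_file(path):
            print(f"{path}:{lineno}: {' '.join(hits)}")
```

Run it with one or more paths to scan real files, or with no arguments to scan the embedded sample. It is an audit aid, not a substitute for the update: on a host that cannot take the fixed package, `set nomodeline` in the editor configuration disables modeline processing entirely, and after the fix 'modelineexpr' stays off unless the user turns it on.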
